chore: bump all dependencies

[gkorland]

Combined Dependency Updates

Consolidates all open Dependabot bump PRs into a single PR.

Python Dependencies (Pipfile)

Package	From	To
fastapi	0.124.0	0.129.2
uvicorn	0.40.0	0.41.0
litellm	1.80.9	1.81.14
playwright	1.57.0	1.58.0
pytest-asyncio	1.2.0	1.3.0

GitHub Actions

Action	From	To
actions/checkout	v4	v6

actions/setup-python, actions/setup-node, actions/upload-artifact, and rojopolis/spellcheck-github-actions were already updated on staging.

npm Dependencies (app/)

Package	From	To	Notes
date-fns	3.6.0	4.1.0	Major ⚠️
next-themes	0.3.0	0.4.6
react-resizable-panels	2.1.9	4.0.13	Major ⚠️
sonner	1.7.4	2.0.7	Major ⚠️
globals (dev)	15.15.0	17.3.0	Major ⚠️

Verification

• ✅ npm run build passes
• ✅ npm run lint passes (no new warnings)
• ✅ pipenv lock succeeds

Note

react-day-picker@8.10.1 has a peer dependency on date-fns@^2.28.0 || ^3.0.0. The upgrade to date-fns@4.1.0 triggers an npm peer dependency warning but does not break the build. Consider upgrading react-day-picker to v9+ in a follow-up.

Consolidates PRs

#421, #420, #419, #418, #417, #416, #415, #414, #413, #412, #322, #321, #319, #318, #317

[railway-app]

🚅 Deployed to the QueryWeaver-pr-422 environment in queryweaver

Service	Status	Web	Updated (UTC)
QueryWeaver	⏭️ Skipped (View Logs)	Web	Feb 23, 2026 at 7:56 am

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 3 package(s) with unknown licenses.

See the Details below.

License Issues

Pipfile.lock

Package	Version	License	Issue Type
fastapi	0.129.2	Null	Unknown License
litellm	1.81.14	Null	Unknown License
uvicorn	0.41.0	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
pip/fastapi	0.129.2	Unknown	Unknown
pip/litellm	1.81.14	Unknown	Unknown
pip/playwright	1.58.0	Unknown	Unknown
pip/pytest-asyncio	1.3.0	Unknown	Unknown
pip/starlette	0.52.1	Unknown	Unknown
pip/uvicorn	0.41.0	Unknown	Unknown
npm/date-fns	4.1.0	🟢 3.8	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST ⚠️ 0 no SAST tool detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed
npm/globals	17.3.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 6 Found 16/25 approved changesets -- score normalized to 6 Maintained 🟢 10 18 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/next-themes	0.4.6	🟢 3.8	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 6 Found 16/26 approved changesets -- score normalized to 6 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 1 SAST tool is not run on all commits -- score normalized to 1
npm/react-resizable-panels	4.6.5	Unknown	Unknown
npm/sonner	2.0.7	Unknown	Unknown

Scanned Files

• Pipfile.lock
• app/package-lock.json

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bump/combined-dependency-updates

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}